With the proliferation in the quantity and types of devices that may be included in an Internet of Things (IoT) ecosystem, particularly in the context of a smart home, it is essential to provide mechanisms to deal with the heterogeneity which such devices encompass. Variations can occur in data formats, frequency of operation, or type of communication protocols supported. The ability to support integration between sensors using a “hub” has become central to address many of these issues. The implementation of such a hub can provide both the ability to act as an aggregator for various sensors, and also limit an attacker’s visibility into locally provisioned sensing capability. This paper introduces EclipseIoT, an adaptive hub which uses dynamically loadable add-on modules to communicate with diverse IoT devices, provides policy-based access control, limits exposure of local IoT devices through cloaking, and offers a canary-function based capability to monitor attack behaviours. Its architecture and implementation are discussed, along with its use within a smart home testbed consisting of commercially available devices such as Phillips Hue Bridge, Samsung Smart Things Hub, TP-Link Smart Plug, and TP-Link Smart Camera. The effectiveness of EclipseIoT is further evaluated by simulating various attacks such as Address Resolution Protocol (ARP) spoofing, Media Access Control (MAC) address spoofing, Man-In-The-Middle (MITM), port scanning, capturing handshakes, sniffing, and Denial of Service (DoS). It is demonstrated that direct attacks upon EclipseIoT components are mitigated due to the security techniques being used.

Introduction

The Internet of Things (IoT) is the system of interconnected electronic devices embedded with software, sensors, actuators, and network connectivity which enable them to connect and exchange data [1]. IoT devices such as smart and wearable devices, home appliances, and alarm and camera systems provide various functionalities which automate and support our daily activities and needs. For instance, smart fitness trackers such as Fitbit allow users to track their physical movements in order to measure and set personal fitness goals. However, IoT devices are not only used in domestic environments, but are also employed in larger networks such as Critical National Infrastructures (CNI). These include concepts that may be necessary for a country to function and upon which our daily life depends on, such as smart cities, intelligent transport, smart grids, and our health care systems. The proliferation of IoT devices in the past decade is demonstrated by how prevalent they have become in our lives. Gartner [2] predicts that by 2020, there will be 20.8 billion IoT devices connected around the world, overtaking the number of personal computers and smartphones combined [3]. These devices are pervasive and have access to sensitive data such as location, usernames, passwords, etc. [4]. Although IoT is considered as being the next ‘Industrial Revolution’, which is shifting how us as individuals, economic entities, and governmental organisations interact with the physical world, such technologies come with enormous security flaws [3, 5, 6, 7]. For instance, a recent study by Hewlett Packard Enterprise [4] investigated the security of 10 of the most popular IoT devices. They discovered that each device had a recklessly high number of security vulnerabilities, each suffering from, on average, 25 issues, including Heartbleed, Denial of Service (DoS), weak passwords, and cross-site scripting. Other surveys have also found similar limitations, such as the OWASP Top 10 IoT Vulnerabilities [8]. Moreover, IoT devices have recently been employed as part of botnets, such as Mirai, and have launched several of the largest Distributed Denial of Service (DDoS) and spam attacks [9]. Given that IoT devices suffer from the aforementioned vulnerabilities and that they are often deeply embedded in networks, they are considered to be the ‘weakest link’ for breaking into a secure infrastructure and have become attractive targets for attacks. As IoT devices have a direct impact on our lives, security and privacy considerations must become a higher priority. Therefore, the need to develop a robust and well-defined security infrastructure, with new systems and protocols that can limit the possible threats related to IoT devices, is greater than ever [10].